iPhone Hacks




Hack the iPhone - Partially unlocked iPhone will allow you to use existing AT&T SIM

The iPhone hackers at iPhone Dev Wiki are claiming to have partially unlocked the iPhone using an application called iASign. It does not unlock the iPhone fully, so you still cannot use it with other carriers, but the news is that it lets you use any existing prepaid Cingular, AT&T or AT&T MVNO SIM card, so you don't need to sign a 2-year contract with AT&T.

The folks at iPhone Dev Wiki are working overtime to free the iPhone from AT&T's clutches (though Apple doesn't seem to be complaining), and so far they seem to have had partial success. The folks at Gizmodo are currently testing whether this really means freedom from AT&T's iPhone data plans.

One benefit of this iPhone hack is that it would let you use corporate rates, which are currently not available on iPhone plans. It is still too early to know which iPhone features will not work with this hack; features like Visual Voicemail will probably still need the iPhone data plan, so it would be wise to wait and watch how this story unfolds. They have also released only a Mac OS X binary and the source code for now, as they are having trouble producing a Windows binary.

Below are comments from the experts themselves on what they think of unlocking the iPhone:

"All problems with unlocking lie in the baseband, the radio chipset for the iPhone. The chipset is an S-Gold2, and don't come in the chat and give us links to PapaUtils, we can't use them. Now the iPhone only has one lock, a network personalization lock. This lock means the MCC (US=310) and the MNC (AT&T=410) must match the first six digits of the SIM card's IMSI. This check is done in the baseband firmware itself. I'm not really sure where yet, but that isn't really relevant. The only thing standing in the way of an unlock is the baseband. All the other SIM checks are known and can be patched out.

We even know the AT command to do the unlock. It's 'AT+CLCK="PN",0,"xxxxxxxx"'. But good luck finding those x's. They are called the NCK, or Network Control Key, and are believed to be unique in everyone's phone. Forget brute force (time impractical) and the obvious entries. If you still think brute force is a good idea, read this. Further, there is a limit of 3-10 unlock attempts per phone, after which the firmware will "hard-lock" itself to AT&T.

So why can't we just patch the firmware? The firmware, located in the ramdisk at /usr/local/standalone/firmware/ICE03.12.06_G.fls, is signed. See here for what is known about the file. The sig is checked in the baseband bootloader. The updater program, bbupdater, only checks a checksum, which can be changed. The update will take, but then the phone won't boot because the sigs don't match.

We worked two solid days on disassembling the radio fw. There are a few backdoors, but none that would lead to an unlock. If you are *good* with disassembling ARM, PM geohot for the idb. We've documented a lot of functions pretty well. Although, this firmware is very difficult to work through. I'm 90% sure the password check happens in the function called pwdcheck, but I haven't found it yet. For all we know there could be a simple algorithm to generate the NCKs that we've missed."
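To make the mechanics of that quote concrete, here is an added example, written for this page and not taken from iPhone Dev Wiki or from the real S-Gold2 firmware: a small C model of a network-personalization (PN) lock. It shows the three things the quote describes. First, the lock only compares the first six IMSI digits against the personalized MCC+MNC (310410), which is why any SIM already carrying that prefix, prepaid or MVNO, passes the baseband check and only the app-processor checks remain to be patched. Second, the unlock path is an `AT+CLCK="PN",0,"<NCK>"` command whose key is compared against a per-phone secret. Third, a bad-attempt counter hard-locks the phone after a few failures, which is what makes guessing the key pointless regardless of how fast you can try. Assumptions: the NCK is 8 decimal digits (the quote shows eight x's), the attempt limit is 3 (the low end of the 3-10 the quote gives), the comparison is always six digits as the quote states (real networks with two-digit MNCs would compare five), and all IMSIs and the NCK value are constructed sample data.

```c
/* Constructed model of a GSM network-personalization (PN) lock, written as an
 * illustration for this page. Not iPhone baseband firmware; all values are
 * made up. Build: cc -std=c99 -Wall pnlock.c -o pnlock */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PLMN_LEN 6          /* MCC (3 digits) + MNC (3 digits in the US) */
#define NCK_LEN 8           /* assumption: the AT command above shows eight x's */
#define MAX_UNLOCK_TRIES 3  /* assumption: low end of the 3-10 range in the quote */

typedef struct {
    char allowed_plmn[PLMN_LEN + 1]; /* operator the phone is personalized to */
    char nck[NCK_LEN + 1];           /* per-phone secret Network Control Key */
    int np_locked;                   /* 1 while the PN lock is active */
    int tries_left;                  /* failed NCK entries remaining */
    int hard_locked;                 /* 1 after too many bad NCKs: unlock refused forever */
} baseband_t;

/* Set up a phone personalized to `plmn` with secret key `nck`, lock active. */
void bb_init(baseband_t *bb, const char *plmn, const char *nck)
{
    memset(bb, 0, sizeof *bb);
    strncpy(bb->allowed_plmn, plmn, PLMN_LEN);
    strncpy(bb->nck, nck, NCK_LEN);
    bb->np_locked = 1;
    bb->tries_left = MAX_UNLOCK_TRIES;
}

/* An IMSI is at most 15 decimal digits; MCC then MNC come first. */
static int imsi_well_formed(const char *imsi)
{
    size_t n = strlen(imsi), i;
    if (n < PLMN_LEN || n > 15) return 0;
    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)imsi[i])) return 0;
    return 1;
}

/* The SIM check the quote describes: while the PN lock is active, the first
 * six IMSI digits must equal the personalized MCC+MNC. Any SIM whose IMSI
 * begins with 310410 passes, whatever plan it belongs to. Returns 1 if the
 * SIM is accepted, 0 if the baseband rejects it. */
int sim_accepted(const baseband_t *bb, const char *imsi)
{
    if (!imsi_well_formed(imsi)) return 0;
    if (!bb->np_locked) return 1;
    return strncmp(imsi, bb->allowed_plmn, PLMN_LEN) == 0;
}

/* Handle AT+CLCK="PN",0,"<nck>". Returns 1 (OK) when the lock is cleared,
 * 0 (ERROR) otherwise. A malformed command is rejected without counting.
 * Every wrong key costs one attempt; at zero the phone hard-locks and even
 * the correct key is refused, so a 10^8 keyspace is irrelevant: you get
 * MAX_UNLOCK_TRIES guesses, not unlimited time. */
int at_clck_unlock(baseband_t *bb, const char *cmd)
{
    char key[NCK_LEN + 2];
    int consumed = 0;

    /* Exact-match parse: the scanset accepts digits only and %n confirms the
     * closing quote was matched and nothing trails it. */
    if (sscanf(cmd, "AT+CLCK=\"PN\",0,\"%9[0-9]\"%n", key, &consumed) != 1
        || cmd[consumed] != '\0')
        return 0;
    if (bb->hard_locked) return 0;
    if (strlen(key) == NCK_LEN && strcmp(key, bb->nck) == 0) {
        bb->np_locked = 0;
        bb->tries_left = MAX_UNLOCK_TRIES;
        return 1;
    }
    if (--bb->tries_left <= 0) bb->hard_locked = 1;
    return 0;
}

int main(void)
{
    baseband_t bb;
    bb_init(&bb, "310410", "12345678");   /* constructed NCK, not a real one */

    /* constructed IMSIs: AT&T/Cingular prefix 310410, T-Mobile US prefix 310260 */
    printf("310410 SIM accepted: %d\n", sim_accepted(&bb, "310410123456789"));
    printf("310260 SIM accepted: %d\n", sim_accepted(&bb, "310260123456789"));
    printf("wrong NCK:           %d (tries left %d)\n",
           at_clck_unlock(&bb, "AT+CLCK=\"PN\",0,\"00000000\""), bb.tries_left);
    printf("right NCK:           %d\n",
           at_clck_unlock(&bb, "AT+CLCK=\"PN\",0,\"12345678\""));
    printf("310260 SIM now:      %d\n", sim_accepted(&bb, "310260123456789"));
    return 0;
}
```

The point of `sim_accepted` is that the baseband never looks at the plan or the contract, only at the IMSI prefix, so a partial unlock that defeats the remaining checks outside the baseband is enough for SIMs that already share AT&T's MCC+MNC. The point of the counter in `at_clck_unlock` is that brute force fails on attempts, not on time.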

They seem to be working hard to hack the iPhone and unlock it fully, so stay tuned @ iPhone Hacks for more on this story. You can also join the action in the #iPhone IRC channel.
